Balancing Security and Convenience

At SitePen, we value amazing user experiences. Once in a while, you see an elegant solution to a problem that has annoyed users for years.

For most consumer web sites and web applications, logging a user out of a service after a certain amount of inactivity is not very important, and does more to annoy a user than anything else. In the enterprise or when using bank web sites, security is a far greater concern, and most services resort to logging users out automatically after 15 or 30 minutes of inactivity. This is especially frustrating for users of advanced web apps, which might require several clicks to restore the user interface back to the state it was in before the session timed out.

NetSuite takes a decidedly different approach to balancing convenience with security. After a period of inactivity, the user interface is locked with a dialog asking the user to re-enter their password to resume their session.

This does a great job of handling the security issue of users walking away from the screen, and presumably they have added code on the server-side to lock changes until the session is restored. This seems like a really good compromise between convenience and security, assuming that this approach is secure.

Comments

The key of course is whether they truly disable this on the server-side as well during this time period. Otherwise, of course, it's easily bypassable. I'd like to think that it would be a safe assumption that this is the case, but you know what they say about assumptions…

Hi there,
we use salesorder.com which takes a similar approach to NetSuite. However, salesorder.com's user interface design ensures the state is preserved by default. Moreover, given that the information displayed in the current work area may be sensitive (e.g. the company balance sheet!), salesorder.com ensures this information is not visible.

Another security feature in salesorder.com is the ability to add a company-wide security code, on top of the usual login information. This is very useful when, for example, employees leave and you want to ensure old logins cannot be re-used.